
@neat.is/core@0.4.26

⚠ Under review

NEAT graph engine: tree-sitter extraction, OTel ingest, REST API

Static Scan Results

scanned 5h ago · by rust-scanner

Static analysis flagged 18 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced dangerous source.

Decision evidence

Public snapshot

Behavioral surface
Source: Child Process, Crypto, Dynamic Require, Environment Vars, Eval, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.
scanned 14 file(s), 1.97 MB of source, external domains: 127.0.0.1, registry.npmjs.org

Source & flagged code

9 flagged

dist/server.cjs
    L686: var import_node_path = __toESM(require("path"), 1);
    L687: var import_node_child_process = require("child_process");
    L688: var LOCKFILE_PRIORITY = [
High · Child Process

Package source references child process execution.

dist/server.cjs · L686
dist/neatd.js
    L78: // ESM fallback — daemon CJS bundle has `require`, but typecheck wants this
    L79: eval("require")
    L80: );
High · Eval

Package source references dynamic code evaluation.

dist/neatd.js · L78
dist/neatd.js
    L20: // src/web-spawn.ts
    L21: import { spawn } from "child_process";
    L22: import { promises as fsp } from "fs";
    L23: import net from "net";
    L24: import path from "path";
    ...
    L31: function projectRoot() {
    L32:   const fromEnv = process.env.NEAT_SCAN_PATH;
    L33:   return path.resolve(fromEnv && fromEnv.length > 0 ? fromEnv : process.cwd());
High · Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/neatd.js · L20
dist/chunk-BIY46Q6U.js
    L125: const specifier = "@xenova/transformers";
    L126: const mod = await import(specifier);
    L127: pipelineFn = mod.pipeline;
Medium · Dynamic Require

Package source references dynamic require/import behavior.

dist/chunk-BIY46Q6U.js · L125
dist/chunk-BIY46Q6U.js
    L56: }
    L57: case "WebSocketChannelNode": {
    L58:   const channel = node.channel;
    ...
    L85: function ollamaHost() {
    L86:   return process.env.OLLAMA_HOST ?? null;
    L87: }
    ...
    L109:   headers: { "content-type": "application/json" },
    L110:   body: JSON.stringify({ model, prompt: text })
    L111: });
    ...
    L114: }
    L115: const data = await res.json();
    L116: out.push(Float32Array.from(data.embedding));
Low · Weak Crypto

Package source references weak cryptographic algorithms.

dist/chunk-BIY46Q6U.js · L56
dist/cli.js
    L66: import {
    L67:   __dirname,
    L68:   __require,
    ...
    L85: const candidates = [
    L86:   path.resolve(here, "../package.json"),
    L87:   path.resolve(here, "../../package.json")
    ...
    L91: const raw = readFileSync(candidate, "utf8");
    L92: const parsed = JSON.parse(raw);
    L93: if (parsed.name === "@neat.is/core" && typeof parsed.version === "string") {
    ...
    L153: "for prod OTel routing, set these in your deploy platform's env:",
    L154: "  OTEL_EXPORTER_OTLP_ENDPOINT=https://<your-neat-host>:4318",
    L155: "  OTEL_EXPORTER_OTLP_HEADERS=Authorization=Bearer <NEAT_AUTH_TOKEN>"
Medium · Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli.js · L66
dist/chunk-QM6BMPVJ.js
Cross-file remote execution chain: dist/chunk-QM6BMPVJ.js spawns dist/chunk-A3322JYS.js; helper contains network access plus dynamic code execution.
    L147:   packageMaxVersion: "2.88.2",
    L148:   reason: "request is deprecated; use undici, node-fetch, or axios instead."
    L149: },
    ...
    L161: var remoteLoadAttempted = false;
    L162: var REMOTE_CACHE_DIR = path.join(os.homedir(), ".neat");
    L163: var REMOTE_CACHE_PATH = path.join(REMOTE_CACHE_DIR, "compat-cache.json");
    ...
    L274: const raw = await fs.readFile(REMOTE_CACHE_PATH, "utf8");
    L275: const parsed = JSON.parse(raw);
    L276: if (parsed.url !== url) return null;
    ...
    L303: remoteLoadAttempted = true;
    L304: const url = process.env.NEAT_COMPAT_URL;
    L305: if (!url) {
High · Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/chunk-QM6BMPVJ.js · L147
dist/cli.cjs
Detached bundled service listener: dist/cli.cjs launches a Node helper and exposes a broad-bound HTTP listener.
    L56: if (opts.trustProxy) return;
    L57: const expected = Buffer.from(opts.token, "utf8");
    L58: const suffixes = [...DEFAULT_UNAUTH_SUFFIXES, ...opts.extraUnauthenticatedSuffixes ?? []];
    ...
    L74: opts.onReject?.();
    L75: void reply.code(401).send({ error: "unauthorized" });
    L76: return;
    ...
    L90: }
    L91: function readAuthEnv(env = process.env) {
    L92:   const t = env.NEAT_AUTH_TOKEN;
    ...
    L347: }
    L348: function hasWebsocketUpgradeHeader(attrs) {
    L349:   const v = attrs["http.request.header.upgrade"];
High · Spawned Bundled Service Listener

Source launches a detached bundled service that exposes a broad-bound HTTP listener.

dist/cli.cjs · L56
dist/chunk-XV4D7A3Z.js
    matchType = previous_version_dangerous_delta
    matchedPackage = @neat.is/core@0.4.25
    matchedIdentity = npm:QG5lYXQuaXMvY29yZQ:0.4.25
    similarity = 0.500
    summary = stored previous version shares package body but lacks this dangerous source file
Critical · Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/chunk-XV4D7A3Z.js

Findings

1 Critical · 6 High · 5 Medium · 6 Low

Critical · Previous Version Dangerous Delta · dist/chunk-XV4D7A3Z.js
High · Child Process · dist/server.cjs
High · Shell
High · Eval · dist/neatd.js
High · Same File Env Network Execution · dist/neatd.js
High · Cross File Remote Execution Context · dist/chunk-QM6BMPVJ.js
High · Spawned Bundled Service Listener · dist/cli.cjs
Medium · Dynamic Require · dist/chunk-BIY46Q6U.js
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · dist/cli.js
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Weak Crypto · dist/chunk-BIY46Q6U.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings